The Growing Threat of Targeted Ransomware

Ransomware targeting organizations is a growing threat. The extent of that threat is not always obvious. Except for the healthcare sector, disclosure of a ransomware attack is not generally required -- so victims will not necessarily report an incident. This is exacerbated by those victims who simply pay up and recover their files without the problem becoming obvious.

A new analysis from Symantec (PDF), using its own telemetry, shows the extent of the growth in targeted attacks against organizations over the last two years -- and especially since the beginning of this year.

Before the start of 2018, the SamSam group was the only ransomware group targeting organizations. Its attack against the city of Atlanta in March 2018 brought it to the media's attention. Atlanta declined to pay the ransom, but the subsequent cleanup costs -- which will almost certainly exceed $10 million -- ensured that the incident, including the attraction of targeting larger organizations and the pros and cons of paying ransoms, kept eyes focused on SamSam throughout 2018.

What was less obvious, however, was that a new group had arrived: Ryuk. After the indictment of two Iranian citizens for their involvement with SamSam, new SamSam attacks dipped in November and December 2018, but began to increase again from January 2019. In fact, there were more SamSam attacks in April 2019 than in any previous month. But media attention had moved on from SamSam.

Ryuk was now the center of attention, possibly because of its involvement in a major ransomware attack against Tribune Publishing in December 2018 -- just around the time of the SamSam indictment. In fact, Ryuk attacks have been more frequent than SamSam attacks in almost every month since Ryuk first appeared in February 2018.

Ryuk is believed to be an evolution of the Hermes ransomware that first appeared in 2017. The actors behind Ryuk are still unknown, with North Korea, Russian hackers, and a blend of both being variously blamed.

Possibly because of the success of these two groups, new targeted ransomware families have emerged in 2019. GoGalocker (also known as LockerGoga) was the first in January, and was followed by MegaCortex and RobbinHood in May. "In quick succession, [GoGalocker] was deployed in targeted attacks against a range of organizations, causing serious disruption for several of its victims," says Symantec. One of the victims is thought to be Norsk Hydro in March 2019.

Interestingly, GoGalocker has a high proportion of its victims located in Scandinavia. Overall, the U.S. is the country most affected by targeted ransomware attacks, with almost 900 victims between January 2017 and May 2019. Partly, this is because of the almost total focus on the U.S. by SamSam, but almost certainly also because of the concentration of large and attractive targets. This is not so with GoGalocker. Scandinavian countries account for 46% of affected organizations, with the U.S. accounting for a relatively lowly 23%. It isn't known why GoGalocker focuses on Scandinavia.

MegaCortex first appeared in May 2019, targeting organizations in the U.S., South Korea, Italy, Israel, and the Netherlands. There are similarities between GoGalocker and MegaCortex, which targeted 11 organizations in May. The similarities are more internal than in deployment -- both, for example, use Cobalt Strike malware. "Furthermore," says Symantec, "one of the Cobalt Strike beacons used in a MegaCortex attack connects to an IP address (185.202.174[.]44) that is also mentioned in FireEye's report about GoGalocker."

Symantec suggests, "While it is possible the two groups of attackers are linked, it may also be the case that the ransomware was developed by the same third-party developer for both groups."

RobbinHood is the latest targeted group to emerge, believed to be behind the city of Baltimore attack. Samples of RobbinHood were found by researchers in April. However, there is little yet publicly known about the malware or the group behind it. There were early suggestions that the Baltimore infection had been through use of an EternalBlue exploit, but this has not been confirmed. Brian Krebs has raised the possibility that it may be a new group trying to marry the concept of ransomware-as-a-service (as used by GandCrab) to targeted attacks.

The two primary differences between targeted attacks and the early versions of spray-and-pray ransomware attacks are the size of ransom demanded and the technical expertise of the hackers. Symantec has analyzed six stages of a targeted attack: initial (typically involving PowerShell); lateral movement (typically with Mimikatz and/or PuTTY); stealth and countermeasures (with signed malware and disabled security software); ransomware spreading (typically through batch files and PsExec); triggering the encryption; and finally the ransom demand.
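
An added example, not from Symantec's report or the original article: a minimal correlation of process-creation events against four of the six stages above, alerting only when one host shows several distinct stages within a time window. The log format, host names, patterns and thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative patterns keyed to the tools named in the article; these are
# assumptions for the example, not Symantec's detection signatures.
STAGE_PATTERNS = {
    "initial_powershell": re.compile(r"powershell(\.exe)?\b.*\s-(enc|encodedcommand)\b", re.I),
    "lateral_movement": re.compile(r"mimikatz|\bputty(\.exe)?\b", re.I),
    "countermeasures": re.compile(r"\b(net|sc)(\.exe)?\s+stop\b", re.I),
    "spreading": re.compile(r"\bpsexec(64)?(\.exe)?\b|\bcmd(\.exe)?\s+/c\s+\S+\.bat\b", re.I),
}

# Constructed process-creation events: "<ISO timestamp> <host> <command line>".
SAMPLE = [
    "2019-05-14T02:11:09 WS-041 powershell.exe -NoProfile -enc PLACEHOLDER",
    "2019-05-14T02:40:51 WS-041 C:\\Temp\\mimikatz.exe",
    "2019-05-14T03:05:12 WS-041 net stop ExampleAVService",
    "2019-05-14T03:06:30 WS-041 PsExec.exe \\\\FS-01 -s cmd /c stage.bat",
    "2019-05-14T09:15:00 WS-007 powershell.exe -File inventory.ps1",
    "2019-05-14T09:20:00 WS-007 putty.exe admin@jumpbox",
]

def classify(cmdline):
    """Return the set of stage names whose pattern matches the command line."""
    return {stage for stage, pat in STAGE_PATTERNS.items() if pat.search(cmdline)}

def correlate(lines, window=timedelta(hours=24), min_stages=3):
    """Map host -> sorted stages when >= min_stages distinct stages fall in one window."""
    hits = defaultdict(list)
    for line in lines:
        ts, host, cmd = line.split(" ", 2)
        for stage in classify(cmd):
            hits[host].append((datetime.fromisoformat(ts), stage))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct stages seen from this event until the window closes.
            stages = {s for t, s in events[i:] if t - start <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

PuTTY and PsExec are also ordinary administration tools, so a single match (the WS-007 host in the sample) is deliberately not an alert; only the combination of stages on one host is.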

In January 2017 there were just two targeted attacks per month. By May 2019 this had risen to more than 50 per month, with the sharpest increase occurring in 2019. There have already been at least two and probably three new targeted attack groups discovered. The pace of targeted attacks is clearly increasing, and it looks like it will continue to increase. Targeted ransomware attacks have evolved into one of the biggest cyber threats to business today.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.